"Buy Now, Pay Forever"? - Account Takeover Attacks on the Rise as BNPL Booms - Warning from Imperva

  • 14.06.2022 11:05 am

Imperva, Inc., the comprehensive digital security leader on a mission to help organizations protect their data and all paths to it, warns that Account Takeover (ATO) attacks are surging in the wake of the growing popularity of ‘Buy Now, Pay Later’ (BNPL). Last year, ATO attacks grew by 148% across all sectors and, in the last month alone, the Imperva Threat Research Team found attacks against financial services and fintech firms have soared by 58%, demonstrating the extent to which bot operators are increasingly turning to ATO as a reliable source of profit and disruption.

The BNPL sector is experiencing astonishing growth and is expected to be worth nearly $4 trillion by 2030. It is also a highly attractive target for bot operators because many of the businesses offering BNPL loans are relatively new, meaning they don’t have large amounts of historical fraud data to help them identify potentially fraudulent purchases. On top of this, a lack of regulation surrounding BNPL loans in comparison to other credit agreements makes it easier for bot operators to commit Account Creation Fraud (ACF). ACF involves using stolen personal information from data breaches to create fake accounts and illegally purchase items.

“Successful ATO attacks or ACF harms everyone involved in the transaction,” says Lynn Marks, Senior Product Manager, Imperva. “For consumers, they can end up hundreds or thousands of pounds out of pocket, and potentially find their credit scores trashed as part of the bargain. Even if the money is recovered, the psychological toll can still be profound. And for businesses, they not only risk losing the entire value of the loan, but also incurring significant additional costs to support victims and investigate fraud claims, increased customer churn, and reputational damage for allowing accounts to be compromised.”

According to the 2022 Imperva Bad Bot Report, three of the top four industries most affected by ATO attacks (Financial Services, Travel, and Retail) are most likely to be involved in BNPL transactions. Indeed, more than a third of all ATO attacks (34.6%) were directed toward the financial services industry, which is at the centre of BNPL. As the shift toward digital payments continues unabated, fueled in part by the boom in BNPL offerings, the rate of ATO attacks on Financial Services firms is likely to keep rising sharply.

“It’s essential that we don’t pigeonhole this as a problem that purely affects the payments industry,” continues Marks. “BNPL is immensely popular across all sectors, from entertainment and retail to travel and gaming and so every single one is at risk of being defrauded if they don’t have proper protections in place.”

Managing the risk of BNPL fraud requires a holistic approach that is grounded in an advanced bot protection solution that can detect and mitigate automated fraud, as well as help fraud teams prevent fraudulent activity on user accounts.
